S/MIME revocation lists signed by different CA?

Bernhard Reiter bernhard at intevation.de
Mon Aug 2 22:14:54 CEST 2010


Today I saw dirmngr 1.0.4-svn319 accept a certificate
where the certificateRevocationList has been issued
by a different CA which is not identical to the issuer
of the certificate itself.

User A Cert, Issued by CA A, CRL issued by CA B
CA A by Root A   and     CA B by Root B

Both roots are trusted; somehow I still would expect
dirmngr to reject the A certificate because the CRL
was not signed by CA A, the same authority that issued it.

Okay, I am trusting Root B, but maybe not for revoking
other certificates. Otherwise, if an attacker could redirect my
CRL request, it is an advantage for them that the checking
is not that strict.

With OCSP that might be different when I define a trusted
host that could verify all CAs.

-- 
Managing Director - Owner: www.intevation.net       (Free Software Company)
Deputy Germany Coordinator: fsfeurope.org. Coordinator: Kolab-Konsortium.com.
Intevation GmbH, Neuer Graben 17, Osnabrück, DE; AG Osnabrück, HRB 18998
Geschäftsführer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
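The rule the mail is asking for is the one RFC 5280 (section 6.3.3) describes: a CRL is only valid for a certificate when its signer is the certificate's own issuer, unless that issuer explicitly delegated CRL issuance (cRLIssuer in the certificate's CRL distribution point, matched by an indirectCRL flag in the CRL). The following is an added example, not dirmngr code and not part of the original post; the PKI (Root A, Root B, CA A, CA B, User A) is modelled with plain dicts and constructed names so it runs offline, and signature verification is reduced to a trusted-issuer lookup.

```python
"""Model of the RFC 5280 section 6.3.3 rule that a CRL must come from the
certificate's own issuer unless an indirect CRL is explicitly authorised.

Added example, not dirmngr code. Certificates, CRLs and the PKI are plain
dicts with constructed names; "signature checking" is an issuer lookup.
"""

# Constructed PKI: which roots are trusted and who issued each CA.
TRUST_ANCHORS = {"Root A", "Root B"}
ISSUER_OF = {"CA A": "Root A", "CA B": "Root B"}


def chains_to_trust_anchor(name):
    """Walk issuer links until a trust anchor (or a dangling name) is hit."""
    seen = set()
    while name not in TRUST_ANCHORS:
        if name in seen or name not in ISSUER_OF:
            return False
        seen.add(name)
        name = ISSUER_OF[name]
    return True


def crl_usable_for(cert, crl):
    """Return (ok, reason) for using `crl` to decide the status of `cert`.

    cert: {"issuer", "serial", optional "crl_issuer"}; "crl_issuer" models the
          cRLIssuer field of the certificate's CRLDistributionPoints extension,
          which only the certificate's own CA can set.
    crl:  {"issuer", "indirect", "revoked"}; "indirect" models the indirectCRL
          flag of the CRL's Issuing Distribution Point extension.
    """
    if not chains_to_trust_anchor(crl["issuer"]):
        return False, "CRL signer does not chain to a trust anchor"
    if crl["issuer"] == cert["issuer"]:
        return True, "direct CRL from the certificate's issuer"
    # A different signer is acceptable only when the certificate's own CA
    # delegated CRL issuance to that name AND the CRL declares itself indirect.
    # Being trusted as a root for *other* certificates is not enough.
    if cert.get("crl_issuer") == crl["issuer"] and crl.get("indirect"):
        return True, "indirect CRL from the CA-designated cRLIssuer"
    return False, (f"CRL issued by {crl['issuer']!r} but certificate issued by "
                   f"{cert['issuer']!r}; trust in another root is not authority "
                   "to revoke this CA's certificates")


def revocation_status(cert, crl):
    """'revoked', 'good', or 'undetermined' when the CRL may not be used.

    An unusable CRL must not yield 'good': the caller should fail closed or
    fetch the correct CRL, never treat a foreign CRL as a clean bill.
    """
    ok, _ = crl_usable_for(cert, crl)
    if not ok:
        return "undetermined"
    return "revoked" if cert["serial"] in crl["revoked"] else "good"


# The scenario from the mail: User A's certificate from CA A, a CRL from CA B.
USER_A = {"subject": "User A", "issuer": "CA A", "serial": 4711}
CRL_FROM_B = {"issuer": "CA B", "indirect": False, "revoked": set()}
CRL_FROM_A = {"issuer": "CA A", "indirect": False, "revoked": {4711}}

if __name__ == "__main__":
    for crl in (CRL_FROM_B, CRL_FROM_A):
        print(crl["issuer"], crl_usable_for(USER_A, crl),
              revocation_status(USER_A, crl))
```

The important design choice is the third status: when the CRL does not belong to the certificate's issuer the answer is "undetermined", not "good", so a redirected CRL fetch cannot quietly hide a revocation.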



